package org.xipki.ocsp.server.store.ejbca;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.serializer.SerializerFeature;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.datasource.DataAccessException;
import org.xipki.datasource.DataSourceWrapper;
import org.xipki.ocsp.api.CertStatusInfo;
import org.xipki.ocsp.api.OcspStore;
import org.xipki.ocsp.api.OcspStoreException;
import org.xipki.ocsp.api.RequestIssuer;
import org.xipki.ocsp.server.IssuerFilter;
import org.xipki.ocsp.server.OcspServerConf;
import org.xipki.security.CertRevocationInfo;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.Hex;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/ocsp/server/store/ejbca/EjbcaCertStatusStore.class */
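/**
 * OCSP certificate status store backed by an EJBCA database.
 *
 * <p>Issuer (CA) entries are read from the {@code CAData} table by {@link #updateIssuerStore()},
 * once during {@link #init} and then periodically when an update interval is configured.
 * Per-certificate status is read on every request from {@code CertificateData}.
 *
 * <p>This listing is decompiler output. The public visibility of {@link StoreUpdateService} and
 * {@link #updateIssuerStore()} comes from the decompiler ("Access modifiers changed from:
 * private"); neither is meant to be called by other classes.
 *
 * <p>NOTE(review): {@code initialized}, {@code initializationFailed} and {@code issuerStore} are
 * written under {@code lock} by the updater but read without synchronization by request threads.
 * Confirm whether the surrounding server already guarantees visibility.
 */
public class EjbcaCertStatusStore extends OcspStore {
    private static final Logger LOG = LoggerFactory.getLogger(EjbcaCertStatusStore.class);

    /**
     * Value of the {@code status} column that this store reports as revoked.
     * NOTE(review): presumably EJBCA's "revoked" status code; confirm against the EJBCA version
     * in use. Every other status value on an existing row is reported as good.
     */
    private static final int EJBCA_STATUS_REVOKED = 40;

    // Hash algorithm announced for the certificate hash taken from the "fingerprint" column.
    // NOTE(review): SHA-1 is fixed here; presumably it matches what EJBCA stores. It is only an
    // identifier in this class, but SHA-1 is collision-weak, so do not reuse it for anything
    // that needs collision resistance.
    private final HashAlgo certHashAlgo = HashAlgo.SHA1;
    private final StoreUpdateService storeUpdateService = new StoreUpdateService();
    // Cheap "already running" flag checked before the lock is taken.
    private final AtomicBoolean storeUpdateInProcess = new AtomicBoolean(false);
    private final Object lock = new Object();
    private DataSourceWrapper datasource;
    // Status query without / with the certificate fingerprint column.
    private String sqlCs;
    private String sqlCsWithCertHash;
    private IssuerFilter issuerFilter;
    private EjbcaIssuerStore issuerStore;
    private boolean initialized;
    private boolean initializationFailed;
    private ScheduledThreadPoolExecutor scheduledThreadPoolExecutor;

    /** Periodic task that refreshes the issuer store. */
    public class StoreUpdateService implements Runnable {
        private StoreUpdateService() {
        }

        @Override
        public void run() {
            EjbcaCertStatusStore.this.updateIssuerStore();
        }
    }

    /**
     * Returns the tasks that {@link #init} schedules at the configured update interval.
     *
     * @return a list holding the issuer-store refresh task
     */
    protected List<Runnable> getScheduledServices() {
        return Arrays.asList(this.storeUpdateService);
    }

    /**
     * Reloads all issuers from {@code CAData} and swaps in a new issuer store if anything changed.
     *
     * <p>Only rows whose {@code catype} is {@code 1} and that carry a certificate chain are
     * considered, and only issuers accepted by the issuer filter are kept. Two issuers that match
     * the same issuer hash abort the update.
     *
     * <p>This method never throws. Any failure is logged and marks the store as failed, so
     * {@link #getCertStatus0} rejects requests instead of answering from possibly stale issuer
     * data. The decompiled form only handled a failure while preparing the statement and then went
     * on to use the unassigned statement. Errors from the query loop escaped the method, and a
     * periodic task that throws is not run again by {@link ScheduledThreadPoolExecutor}.
     */
    public void updateIssuerStore() {
        if (this.storeUpdateInProcess.get()) {
            return;
        }
        synchronized (this.lock) {
            this.storeUpdateInProcess.set(true);
            try {
                PreparedStatement ps = preparedStatement("SELECT data FROM CAData");
                ResultSet rs = null;
                try {
                    Map<String, EjbcaIssuerEntry> newIssuers = new HashMap<>();
                    rs = ps.executeQuery();
                    while (rs.next()) {
                        String caData = rs.getString("data");
                        // equals() instead of contentEquals(): a row without a catype element is
                        // skipped rather than failing the whole refresh with an NPE.
                        if (!"1".equals(extractTextFromCaData(caData, "catype", "int"))) {
                            continue;
                        }
                        String encodedCert = extractTextFromCaData(caData, "certificatechain", "string");
                        if (encodedCert == null) {
                            continue;
                        }
                        EjbcaIssuerEntry entry = new EjbcaIssuerEntry(X509Util.parseCert(StringUtil.toUtf8Bytes(encodedCert.trim())));
                        String id = entry.getId();
                        if (!this.issuerFilter.includeIssuerWithSha1Fp(id)) {
                            continue;
                        }
                        // Refuse ambiguous issuers: a request identifies its issuer by hash only.
                        RequestIssuer requestIssuer = new RequestIssuer(HashAlgo.SHA1, entry.getEncodedHash(HashAlgo.SHA1));
                        for (EjbcaIssuerEntry existing : newIssuers.values()) {
                            if (existing.matchHash(requestIssuer)) {
                                throw new IllegalStateException("found at least two issuers with the same subject and key");
                            }
                        }
                        // "revokation..." is the spelling of the keys as they are looked up in the data.
                        String revocationReason = extractTextFromCaData(caData, "revokationreason", "int");
                        if (revocationReason != null && !"-1".equals(revocationReason)) {
                            String revocationDate = extractTextFromCaData(caData, "revokationdate", "long");
                            // A revoked CA without a usable date is treated as revoked "now".
                            entry.setRevocationInfo((revocationDate == null || "-1".equals(revocationDate)) ? new Date() : new Date(Long.parseLong(revocationDate)));
                        }
                        newIssuers.put(id, entry);
                    }

                    boolean unchanged;
                    if (this.issuerStore == null) {
                        // NOTE(review): with no store yet and no issuers found, nothing is created
                        // and "initialized" stays false, as in the decompiled code. Confirm intent.
                        unchanged = newIssuers.isEmpty();
                    } else {
                        unchanged = newIssuers.keySet().equals(this.issuerStore.getIds());
                        if (unchanged) {
                            for (Map.Entry<String, EjbcaIssuerEntry> candidate : newIssuers.entrySet()) {
                                if (!candidate.getValue().equals(this.issuerStore.getIssuerForId(candidate.getKey()))) {
                                    unchanged = false;
                                    break;
                                }
                            }
                        }
                    }
                    if (unchanged) {
                        return;
                    }

                    this.initialized = false;
                    this.issuerStore = new EjbcaIssuerStore(newIssuers.values());
                    LOG.info("Updated issuers: {}", this.name);
                    this.initializationFailed = false;
                    this.initialized = true;
                } finally {
                    releaseDbResources(ps, rs);
                }
            } catch (Throwable th) {
                LogUtil.error(LOG, th, "error while executing updateIssuerStore()");
                // Fail closed: status requests are rejected until a later refresh succeeds.
                this.initializationFailed = true;
                this.initialized = true;
            } finally {
                this.storeUpdateInProcess.set(false);
            }
        }
    }

    /**
     * Looks up the status of one certificate.
     *
     * @param date reference time compared with the certificate's {@code notBefore} and
     *     {@code expireDate} columns when the corresponding "ignore" options are set
     * @param requestIssuer issuer identification taken from the request
     * @param bigInteger certificate serial number; values that are not strictly positive yield
     *     an "unknown" status without a database query
     * @param z whether to read the {@code fingerprint} column and return it as certificate hash
     * @param z2 "includeRit" flag; not supported by this store
     * @param z3 whether a revoked issuer overrides the certificate's own status
     * @return the status, or {@code null} if the issuer is not known to this store
     * @throws OcspStoreException if {@code z2} is set, the store is not (successfully)
     *     initialized, or the database access fails
     */
    protected CertStatusInfo getCertStatus0(Date date, RequestIssuer requestIssuer, BigInteger bigInteger, boolean z, boolean z2, boolean z3) throws OcspStoreException {
        if (z2) {
            throw new OcspStoreException("EJBCA store does not support includeRit");
        }
        if (bigInteger.signum() != 1) {
            return CertStatusInfo.getUnknownCertStatusInfo(new Date(), (Date) null);
        }
        if (!this.initialized) {
            throw new OcspStoreException("initialization of CertStore is still in process");
        }
        if (this.initializationFailed) {
            throw new OcspStoreException("initialization of CertStore failed");
        }
        try {
            EjbcaIssuerEntry issuer = this.issuerStore.getIssuerForFp(requestIssuer);
            if (issuer == null) {
                return null;
            }
            String sql = z ? this.sqlCsWithCertHash : this.sqlCs;
            Date thisUpdate = new Date();
            boolean unknown = true;
            boolean ignore = false;
            String hexCertHash = null;
            boolean revoked = false;
            int reason = 0;
            long revocationTimeSeconds = 0;

            PreparedStatement ps = this.datasource.prepareStatement(sql);
            ResultSet rs = null;
            try {
                // Both values are bound as parameters, never concatenated into the SQL text.
                ps.setString(1, issuer.getId());
                ps.setString(2, bigInteger.toString());
                rs = ps.executeQuery();
                if (rs.next()) {
                    unknown = false;
                    long time = date.getTime();
                    if (this.ignoreNotYetValidCert && time < rs.getLong("notBefore")) {
                        ignore = true;
                    }
                    if (!ignore && this.ignoreExpiredCert && time > rs.getLong("expireDate")) {
                        ignore = true;
                    }
                    if (!ignore) {
                        if (z) {
                            hexCertHash = rs.getString("fingerprint");
                        }
                        // NOTE(review): any status other than EJBCA_STATUS_REVOKED ends up as
                        // "good" below. Verify that no other EJBCA status (for example an
                        // inactive or archived certificate) must be answered differently.
                        revoked = rs.getInt("status") == EJBCA_STATUS_REVOKED;
                        if (revoked) {
                            reason = rs.getInt("revocationReason");
                            // Truncated to whole seconds.
                            revocationTimeSeconds = rs.getLong("revocationDate") / 1000;
                        }
                    }
                }
            } catch (SQLException e) {
                throw this.datasource.translate(sql, e);
            } finally {
                // Releases the result set as well. The decompiled error path passed null for it.
                releaseDbResources(ps, rs);
            }

            CertStatusInfo statusInfo;
            if (unknown) {
                statusInfo = CertStatusInfo.getUnknownCertStatusInfo(thisUpdate, (Date) null);
            } else if (ignore) {
                statusInfo = CertStatusInfo.getIgnoreCertStatusInfo(thisUpdate, (Date) null);
            } else {
                byte[] certHash = hexCertHash == null ? null : Hex.decode(hexCertHash);
                statusInfo = revoked
                        ? CertStatusInfo.getRevokedCertStatusInfo(new CertRevocationInfo(reason, new Date(revocationTimeSeconds * 1000), (Date) null), this.certHashAlgo, certHash, thisUpdate, (Date) null, (String) null)
                        : CertStatusInfo.getGoodCertStatusInfo(this.certHashAlgo, certHash, thisUpdate, (Date) null, (String) null);
            }

            if (this.includeArchiveCutoff && this.retentionInterval != 0) {
                // Long arithmetic: an int product would overflow for intervals above 24 days.
                statusInfo.setArchiveCutOff(this.retentionInterval < 0 ? issuer.getNotBefore() : new Date(Math.max(issuer.getNotBefore().getTime(), System.currentTimeMillis() - (86400000L * this.retentionInterval))));
            }

            if (!z3 || issuer.getRevocationInfo() == null) {
                return statusInfo;
            }

            // The issuer itself is revoked: decide whether that overrides the certificate status.
            CertRevocationInfo caRevocation = issuer.getRevocationInfo();
            CertStatusInfo.CertStatus certStatus = statusInfo.getCertStatus();
            boolean replaceWithCaRevocation = false;
            if (certStatus == CertStatusInfo.CertStatus.GOOD) {
                replaceWithCaRevocation = true;
            } else if (certStatus == CertStatusInfo.CertStatus.UNKNOWN || certStatus == CertStatusInfo.CertStatus.IGNORE) {
                if (this.unknownCertBehaviour == CertStatusInfo.UnknownCertBehaviour.good) {
                    replaceWithCaRevocation = true;
                }
            } else if (certStatus == CertStatusInfo.CertStatus.REVOKED && statusInfo.getRevocationInfo().getRevocationTime().after(caRevocation.getRevocationTime())) {
                // The certificate was revoked later than its CA, so the CA revocation wins.
                replaceWithCaRevocation = true;
            }
            if (replaceWithCaRevocation) {
                statusInfo = CertStatusInfo.getRevokedCertStatusInfo(caRevocation.getReason() == CrlReason.CA_COMPROMISE ? caRevocation : new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevocation.getRevocationTime(), caRevocation.getInvalidityTime()), statusInfo.getCertHashAlgo(), statusInfo.getCertHash(), statusInfo.getThisUpdate(), statusInfo.getNextUpdate(), statusInfo.getCertprofile());
            }
            return statusInfo;
        } catch (DataAccessException e2) {
            throw new OcspStoreException(e2.getMessage(), e2);
        }
    }

    /** Prepares {@code sql} on the configured data source. */
    private PreparedStatement preparedStatement(String sql) throws DataAccessException {
        return this.datasource.prepareStatement(sql);
    }

    /**
     * Reports whether the store is initialized and the database answers a trivial query.
     *
     * @return {@code true} if initialization succeeded and the probe query ran without error
     */
    public boolean isHealthy() {
        if (!isInitialized() || isInitializationFailed()) {
            return false;
        }
        try {
            PreparedStatement ps = preparedStatement("SELECT cAId FROM CAData");
            ResultSet rs = null;
            try {
                rs = ps.executeQuery();
                return true;
            } finally {
                releaseDbResources(ps, rs);
            }
        } catch (Exception e) {
            LogUtil.error(LOG, e);
            return false;
        }
    }

    /** Hands statement and result set back to the data source; either may be {@code null}. */
    private void releaseDbResources(Statement statement, ResultSet resultSet) {
        this.datasource.releaseResources(statement, resultSet);
    }

    /**
     * Configures the store, loads the issuers once and schedules the periodic refresh.
     *
     * @param map store configuration; an optional {@code caCerts} entry lists certificate files
     *     of issuers to include or exclude
     * @param dataSourceWrapper data source of the EJBCA database; must not be {@code null}
     * @throws OcspStoreException if {@code includeCrlId} is set or a listed certificate cannot
     *     be parsed
     */
    public void init(Map<String, ? extends Object> map, DataSourceWrapper dataSourceWrapper) throws OcspStoreException {
        if (this.includeCrlId) {
            throw new OcspStoreException("includeCrlId must not be true");
        }
        OcspServerConf.CaCerts caCerts = null;
        Object caCertsConf = map == null ? null : map.get("caCerts");
        if (caCertsConf != null) {
            // Round trip through JSON to bind the generic configuration value to CaCerts.
            // NOTE(review): fastjson 1.x has a history of deserialization advisories. The target
            // type is fixed and the input is operator configuration, which limits exposure, but
            // confirm the bundled version is current.
            caCerts = (OcspServerConf.CaCerts) JSON.parseObject(JSON.toJSONBytes(caCertsConf, new SerializerFeature[0]), OcspServerConf.CaCerts.class, new Feature[0]);
        }
        this.datasource = (DataSourceWrapper) Args.notNull(dataSourceWrapper, "datasource");
        this.sqlCs = dataSourceWrapper.buildSelectFirstSql(1, "notBefore,expireDate,status,revocationReason,revocationDate FROM CertificateData WHERE cAFingerprint=? AND serialNumber=?");
        this.sqlCsWithCertHash = dataSourceWrapper.buildSelectFirstSql(1, "fingerprint,notBefore,expireDate,status,revocationReason,revocationDate FROM CertificateData WHERE cAFingerprint=? AND serialNumber=?");
        Set<X509Cert> includes = null;
        Set<X509Cert> excludes = null;
        if (caCerts != null) {
            try {
                if (CollectionUtil.isNotEmpty(caCerts.getIncludes())) {
                    includes = parseCerts(caCerts.getIncludes());
                }
                if (CollectionUtil.isNotEmpty(caCerts.getExcludes())) {
                    excludes = parseCerts(caCerts.getExcludes());
                }
            } catch (CertificateException e) {
                throw new OcspStoreException(e.getMessage(), e);
            }
        }
        this.issuerFilter = new IssuerFilter(includes, excludes);
        updateIssuerStore();
        if (this.scheduledThreadPoolExecutor != null) {
            this.scheduledThreadPoolExecutor.shutdownNow();
        }
        if (this.updateInterval != null) {
            List<Runnable> scheduledServices = getScheduledServices();
            int size = scheduledServices == null ? 0 : scheduledServices.size();
            if (size > 0) {
                this.scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(size);
                // Start-up jitter of up to a minute; not security-relevant, so Random suffices.
                Random random = new Random();
                long periodSeconds = this.updateInterval.approxMinutes() * 60;
                for (Runnable service : scheduledServices) {
                    this.scheduledThreadPoolExecutor.scheduleAtFixedRate(service, periodSeconds + random.nextInt(60), periodSeconds, TimeUnit.SECONDS);
                }
            }
        }
    }

    /** Stops the periodic refresh and closes the data source. */
    public void close() {
        if (this.scheduledThreadPoolExecutor != null) {
            this.scheduledThreadPoolExecutor.shutdown();
            this.scheduledThreadPoolExecutor = null;
        }
        if (this.datasource != null) {
            this.datasource.close();
        }
    }

    /**
     * Tells whether the given issuer is served by this store.
     *
     * @param requestIssuer issuer identification taken from the request
     * @return {@code true} if an issuer entry matches; {@code false} also when no issuer store
     *     has been loaded yet (previously a {@link NullPointerException})
     */
    public boolean knowsIssuer(RequestIssuer requestIssuer) {
        EjbcaIssuerStore store = this.issuerStore;
        return store != null && store.getIssuerForFp(requestIssuer) != null;
    }

    /**
     * Returns the certificate of the matching issuer.
     *
     * @param requestIssuer issuer identification taken from the request
     * @return the issuer certificate, or {@code null} if the issuer is unknown or no issuer store
     *     has been loaded yet
     */
    public X509Cert getIssuerCert(RequestIssuer requestIssuer) {
        EjbcaIssuerStore store = this.issuerStore;
        if (store == null) {
            return null;
        }
        EjbcaIssuerEntry issuer = store.getIssuerForFp(requestIssuer);
        return issuer == null ? null : issuer.getCert();
    }

    /** Returns whether an issuer refresh has completed, successfully or not. */
    protected boolean isInitialized() {
        return this.initialized;
    }

    /** Returns whether the most recent issuer refresh failed. */
    protected boolean isInitializationFailed() {
        return this.initializationFailed;
    }

    /**
     * Parses one X.509 certificate from each of the given files.
     *
     * @param files paths of the certificate files
     * @return the parsed certificates
     * @throws OcspStoreException if a file cannot be read or does not hold a certificate
     */
    private static Set<X509Cert> parseCerts(Collection<String> files) throws OcspStoreException {
        Set<X509Cert> certs = new HashSet<>(files.size());
        for (String file : files) {
            try {
                certs.add(X509Util.parseCert(new File(file)));
            } catch (IOException | CertificateException e) {
                throw new OcspStoreException("could not parse X.509 certificate from file " + file + ": " + e.getMessage(), e);
            }
        }
        return certs;
    }

    /**
     * Extracts the text of the first {@code <type>} element that follows
     * {@code <string>key</string>} in the given CA data.
     *
     * <p>This is a plain substring search, not an XML parser. No entities are resolved, the first
     * occurrence of the key wins, and the value element is not required to follow the key
     * directly. Callers should treat the result as untrusted text.
     *
     * @param caData content of the {@code data} column; may be {@code null}
     * @param key name of the entry to look up
     * @param type element name that wraps the value, e.g. {@code int} or {@code string}
     * @return the raw text between the value tags, or {@code null} if the data, key or value
     *     element is missing
     */
    private static String extractTextFromCaData(String caData, String key, String type) {
        if (caData == null) {
            return null;
        }
        String keyElement = "<string>" + key + "</string>";
        int keyPos = caData.indexOf(keyElement);
        if (keyPos == -1) {
            return null;
        }
        String openTag = "<" + type + ">";
        String closeTag = "</" + type + ">";
        int openPos = caData.indexOf(openTag, keyPos + keyElement.length());
        if (openPos == -1) {
            return null;
        }
        int valueStart = openPos + openTag.length();
        int valueEnd = caData.indexOf(closeTag, valueStart);
        return valueEnd == -1 ? null : caData.substring(valueStart, valueEnd);
    }
}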
